PCMan is Online
Note(FYI): Notice the FTP Server is online. I apologize for the repetitive starting and stopping of the FTP Server.
Open fuzzer1.pl with leafpad (On Kali 1.0.5)
Instructions:
cd /var/tmp/BUFFER/PCMan
leafpad fuzzer1.pl
Note(FYI): Arrow #1, Use (cd) to navigate to the (/var/tmp/BUFFER/PCMan) directory.
Arrow #2, Use (leafpad) to open (fuzzer1.pl). Leafpad is a simple GTK+ based text editor. The user interface is similar to Windows(tm) notepad.
Explain fuzzer1.pl (Command Line Arguments) (On Kali 1.0.5)
Instructions:
Select Options and check Word Wrap and Line Numbers.
Scroll down to Line 17.
Note(FYI): Arrow #2, The script (fuzzer1.pl) takes three command line arguments: IPADDRESS, PORT and COUNT. E.g., ./fuzzer1.pl 192.168.2.106 21 2020
IPADDRESS - The IP address of the target (the machine running the vulnerable service).
PORT - The TCP port the target service listens on (21 for PCMan FTP).
COUNT - The number of characters that will be sent to that IPADDRESS and PORT.
Explain fuzzer1.pl Essential Variables (On Kali 1.0.5)
Instructions:
Arrow #1 [Line 37], The ($header) variable is the string (USER) followed by a single space. The characters that come after (USER ) are the actual username (e.g., JOHNDOE, or AAAA[2200]AAAA...).
Arrow #2 [Line 42], The ($junk) variable contains the username that is supplied immediately after the $header. Ultimately, $junk is what overflows the buffer PCMan uses to hold the USER argument.
Normal usage: USER JOHNDOE
Abnormal usage: USER AAAA[2200]AAAA...
Arrow #3 [Line 46], The ($string) variable contains the hexadecimal representation of an A (\x41) repeated OFFSET_COUNT times. In the example below, 2200 A's would be sent to PCMan. E.g., ./fuzzer1.pl 192.168.2.106 21 2200
Arrow #4 [Line 49], The ($socket) variable holds a TCP connection to $IPADDRESS on $PORT.
Arrow #5 [Line 53], The call $socket->send($string) sends $string (USER AAAA[2200]AAAA...) to the specified $IPADDRESS and $PORT.
Arrow #6 [Line 57], The call close($socket) closes the TCP connection.
Arrow #7, Click the icon to close leafpad.
PCMan Fuzz Test (Part 1) (On Kali 1.0.5)
Note(FYI): Replace (192.168.2.106) with your Damn Vulnerable WXP-SP2 address found in (Section 1, Step 7).
Instructions:
cd /var/tmp/BUFFER/PCMan
./fuzzer1.pl
./fuzzer1.pl 192.168.2.106 21 10
./fuzzer1.pl 192.168.2.106 21 100
./fuzzer1.pl 192.168.2.106 21 1000
Note(FYI): Arrow #1, Use (cd) to navigate to the (/var/tmp/BUFFER/PCMan) directory.
Arrow #2, Run (fuzzer1.pl) with no arguments to see which parameters the program requires. No buffer overflow will occur for (Arrows #3-#5).
Arrow #3, Use (fuzzer1.pl) to send 10 A's to (192.168.2.106) over port 21.
Arrow #4, Use (fuzzer1.pl) to send 100 A's to (192.168.2.106) over port 21.
Arrow #5, Use (fuzzer1.pl) to send 1000 A's to (192.168.2.106) over port 21.
Review of Initial Fuzzing Test (Part 1) (On Damn Vulnerable WXP-SP2)
Instructions:
Notice that 10 A's were sent and the server still reports the user name as okay.
Notice that 100 A's were sent and the server still reports the user name as okay.
Notice that 1000 A's were sent and the server still reports the user name as okay.
Note(FYI): Arrows #1-#3, The goal of fuzzing is to find out (1) at what input length the application stops working as designed, (2) at what length it crashes, and (3) at what length the crash becomes exploitable.
Accordingly, we are not at that point yet.
Exit PCMan
Instructions:
--> (See Picture)
Click the Yes Button
Note(FYI): It is not strictly necessary to exit PCMan at this point. The purpose of exiting is to clear the application's input and output streams.
Start PCMan FTP Server (On Damn Vulnerable WXP-SP2)
Instructions:
Right Click on PCMANFTPD2
Click on Open
PCMan is Online
Note(FYI): Notice the FTP Server is online. I apologize for the repetitive starting and stopping of the FTP Server.
Run OLLYDBG
Instructions:
Right Click on the OLLYDBG Desktop Icon
Select Open
Attach OLLYDBG to PCMan Process (Part 1)
Instructions:
File --> Attach
Attach OLLYDBG to PCMan Process (Part 2)
Instructions:
Click on PCManFTPD2
Click on the Attach Button
Note(FYI): Arrow #1, Make sure PCManFTPD2 is highlighted in light gray.
Arrow #2, OLLYDBG is an x86 debugger that lets us view and trace memory locations and registers, determine offsets, see which DLLs are loaded, and a lot more.
OllyDbg Views Briefly Explained
Note(FYI): Arrow #1, The upper left pane (CPU window) shows the disassembled instructions the program is executing.
Arrow #2, The lower left pane is a memory dump: address, hex bytes and ASCII side by side.
Arrow #3, The upper right pane shows the registers (EAX, EIP, ESP, EBP and so on) that we will rely on during the buffer overflow investigation.
Arrow #4, The lower right pane shows the stack, which we will use in conjunction with the Structured Exception Handler (SEH) chain.
Start OllyDbg
Instructions:
Notice that OllyDbg is currently paused.
Click the Play icon; the status will change from paused to running.
Click PCMan located in the taskbar.
Note(FYI): Arrow #1, Attaching suspends PCMan; it stays suspended until the Play icon is clicked.
Arrow #3, You are asked to click on PCMan in the taskbar to bring the application to the foreground, so you can watch the subsequent buffer overflow attempts.
Open fuzzer2.pl (On Kali 1.0.5)
Instructions:
leafpad fuzzer2.pl
Note(FYI): Arrow #1, Use (leafpad) to open (fuzzer2.pl). Leafpad is a simple GTK+ based text editor. The user interface is similar to Windows(tm) Notepad.
View fuzzer2.pl Standard Input
Instructions:
Select Options and check Word Wrap and Line Numbers.
Arrow #2 [Line 21], This is a call to the subroutine &get_info. It transfers execution to the lines of code between 24 and 53.
Arrow #3 [Line 27], The ($target) variable receives the IP address typed by the user.
Arrow #4 [Line 30], The ($port) variable receives the port number typed by the user.
Arrow #5 [Line 33], The ($start_fuzz) variable receives the starting number of characters to send as the PCMan USER name (e.g., start at 2000 A's).
Arrow #6 [Line 36], The ($end_fuzz) variable receives the ending number of characters to send as the PCMan USER name (e.g., end at 3000 A's).
Note(FYI): Arrows #2-6, <STDIN> is the Perl filehandle used here to read user input from the keyboard.
Explain fuzzer2.pl (&commence Sub Routine)
Instructions:
Arrow #1 [Line 40], IF any of the variables $target, $port, $start_fuzz or $end_fuzz is blank, THEN display the usage and exit the program.
Arrow #2 [Line 51], IF the test on Line 40 is FALSE, THEN call the &commence subroutine.
Arrow #2 [Lines 51-60], The call passes ($target,$port,$start_fuzz,$end_fuzz) to the subroutine, which unpacks them starting at Line 55.
Note(FYI): Arrow #3, Notice the following:
$target passed in Line 51 is received as $target in Line 57.
$port passed in Line 51 is received as $port in Line 58.
$start_fuzz passed in Line 51 is received as $start_fuzz in Line 59.
$end_fuzz passed in Line 51 is received as $end_fuzz in Line 60.
Explain fuzzer2.pl (While Loop and Time Out)
Instructions:
Arrow #1 [Line 71], Stay inside the while loop as long as a socket can still be established to the IP/Port AND the $end_fuzz count has not been exceeded. ($end_fuzz) is the character count at which the program gives up if it has not managed to crash the target.
Arrow #2 [Line 75], Create a TCP socket to IP($target) and Port($port). The connect timeout is set to 1 second; it corresponds to the alarm on Line 83.
Arrow #3 [Lines 77, 81-83], ($buff_num) is the number of characters we sent to the application on the previous iteration. If the socket times out, the alarm (Line 83) fires a signal whose handler prints (Line 82) that the application crashed after $buff_num characters.
Note(FYI): Arrows #1-4, The purpose of explaining the code is so you become proficient at understanding how something works (whether it is primitive or not), as opposed to only being a tool jockey. It is nice to have the ability and confidence to write your own vulnerability scanner, rather than waiting until the next day or paying big bucks to somebody else.
Explain fuzzer2.pl (Socket Determination)
Instructions:
Arrow #1 [Line 92], IF a TCP socket was established to IP($target) and Port($port), THEN execute Lines 92 to 101.
Arrow #2 [Line 100], Pass the IP($target), Port($port), and the fuzz count ($num) to the &fuzzer subroutine.
Arrow #3 [Lines 92, 102-109], IF a TCP socket was NOT established to IP($target) and Port($port), THEN exit the program.
Explain fuzzer2.pl (Send Fuzzer String)
Instructions:
Arrow #1 [Lines 122-124], The variables $target, $port and $fuznum receive the arguments of the call &fuzzer($target,$port,$num).
Arrow #2 [Line 126], Assign the $header variable to "USER ".
Arrow #3 [Lines 130-132], Open a TCP socket to IP($target) and Port($port) and assign it to $socket. IF the $socket was created, THEN enter the first set of curly braces.
Arrow #4 [Line 134], Assign the $exploit variable to the character A (\x41) repeated $fuznum times. So, if $fuznum is 2200, $exploit holds 2200 A's.
Arrow #5 [Line 135], Assign the $string variable to "USER " followed by $exploit ("USER AAAAAA...").
Arrow #6 [Line 137], Print (send) $string to the $socket. This is the line that will eventually cause the buffer overflow.
Arrow #7 [Lines 132, 147-153], IF the $socket was not created, THEN exit the program.
Click the icon to close leafpad.
Note(FYI): Arrows #1-6, The purpose of this function is to find out how many characters sent as the PCMan USER name are required to crash the application.
PCMan Fuzz Test using fuzzer2.pl (On Kali 1.0.5)
Note(FYI): Replace (192.168.2.106) with your Damn Vulnerable WXP-SP2 address found in (Section 1, Step 7).
Instructions:
./fuzzer2.pl
Enter IP Address: 192.168.2.106
Enter Port Number: 21
Enter Fuzz Start Number: 1999
Enter Fuzz Stop Number: 2020
My crash number is 2001; record your crash number.
Note(FYI): Arrow #1, Use (fuzzer2.pl) to send a sequence of ever-longer USER names until PCMan crashes, at which point OllyDbg drops back into Paused mode.
Arrows #4-#5, The start (1999) and stop (2020) fuzz numbers were derived from Master Peleus' article.
Arrow #6, In my case, the fuzzer was unable to communicate with PCMan after sending 2001 A's (i.e., A = \x41).
Viewing OllyDbg Results (On Damn Vulnerable WXP-SP2)
Instructions:
Notice that OllyDbg is currently paused because PCMan crashed.
Notice the EBP register, which contains the value (41410002).
See the Note(FYI) section below for EIP details.
Note(FYI): Arrow #2, EBP is a non-volatile general-purpose register with two distinct uses depending on compiler settings: it is either (1) the frame pointer or (2) an ordinary general-purpose register. As the frame pointer it records where the stack was at the beginning of a function. In this case, you can see that two of its bytes have been overwritten with A's (41 41 00 02).
Arrow #3, The EIP register always contains the address of the next instruction to be executed. Our goal over the next sections is to determine the exact offset so we can control what is placed in EIP. If we can accomplish this, there is a high probability we can later point EIP (the pointer to the next instruction) at our shellcode instead of letting the application crash. :-)
Copy the EIP
Instructions:
Left Click to highlight, then Right Click on the EIP
Click Copy selection to clipboard
Click the Close Icon.
Using pattern_offset.rb (On Kali 1.0.5)
Note(FYI): Replace (0012FE44) with your EIP value obtained in the previous step. You should be able to paste if you have VMware Tools installed.
Instructions:
/usr/share/metasploit-framework/tools/pattern_offset.rb 0012FE44
Notice the Offset was not found.
Note(FYI): Arrow #1, Use (pattern_offset.rb) to "try" to locate the EIP value (0012FE44) in a pattern. Remember that the offset is the number of bytes that precede the four bytes which overwrite EIP.
Arrow #2, No match will occur: we sent nothing but A's, and 0012FE44 contains no bytes from our buffer (it looks like a stack address rather than overwritten data), so there is no pattern in which to look it up. Accordingly, the following section will teach you how to determine the offset by sending a unique, non-repeating string instead.
Section 12: PCMan Fuzz Test Using pattern_create.rb and pattern_offset.rb
Section Notes
Notes(FYI): The previous section gave you a very primitive way to determine how many characters it takes to crash PCMan. However, just opening up the virtual fire hose and pointing it at an application is not accurate enough for determining the buffer offset: every byte is an A, so nothing in the crash tells you which position in the buffer landed where.
Fortunately, the Metasploit framework has two sister tools (pattern_create.rb and pattern_offset.rb) that let us precisely determine which 4 bytes will overwrite EIP.
PCMan Fuzz Test (On Kali 1.0.5)
Instructions:
/usr/share/metasploit-framework/tools/pattern_create.rb 2200 | tee pattern.txt
ls -l pattern.txt
Note(FYI): Arrow #1, Use (pattern_create.rb) to create a unique pattern of 2200 characters. Instead of sending all A's to crash PCMan, we will send this unique string instead. The value that ends up in the EIP register can then be given to pattern_offset.rb to determine the exact offset. Use (tee) to display the output and also write it to a file called (pattern.txt).
Arrow #2, Use (ls -l) to display the file's general information (permissions, ownership, byte size, last update and name).
Open fuzzer3.pl (On Kali 1.0.5)
Instructions:
leafpad fuzzer3.pl
Note(FYI): Arrow #1, Use (leafpad) to open (fuzzer3.pl). Leafpad is a simple GTK+ based text editor. The user interface is similar to Windows(tm) Notepad.
Explain fuzzer3.pl (Command Line Arguments)
Instructions:
Select Options and check Word Wrap and Line Numbers.
Arrow #2 [Lines 17-18], Assign $IPADDRESS and $PORT from their corresponding command line arguments.
Arrow #3 [Lines 20-27], IF either $IPADDRESS or $PORT was not provided on the command line, THEN exit the program.
Explain fuzzer3.pl (Does pattern.txt Exist)
Instructions:
Arrow #1 [Lines 30-38], IF the file (pattern.txt) that you created in (Section 12, Step 1) does not exist, THEN exit the program.
Arrow #2 [Line 46], Assign the ($header) variable to "USER ". To provide a username to an FTP server (e.g., PCMan), you must first send the string (USER) followed by a space and then the actual username. E.g., (USER JOHNDOE)
Arrow #3 [Line 52], Use (cat) to assign the ($junk) variable the entire string of characters in the file (pattern.txt). ($junk) is the fake username that follows the header string (USER ). E.g., $junk = "Aa0Aa1Aa2Aa3Aa4..."
Arrow #4 [Line 56], Assign the ($string) variable the ($header) variable with the ($junk) variable appended. E.g., (USER Aa0Aa1Aa2Aa3...)
View fuzzer3.pl (Establish Socket, Send Data)
Instructions:
Arrow #1 [Line 59], Establish a TCP socket connection and assign it to the ($socket) variable.
Arrow #2 [Line 63], Use $socket->send($string) to send the ($string) variable over the $socket TCP connection.
Arrow #3, Use close($socket) to close the $socket TCP connection.
Click the icon to close leafpad.
Start PCMan FTP Server (On Damn Vulnerable WXP-SP2)
Instructions:
Right Click on PCMANFTPD2
Click on Open
PCMan is Online
Note(FYI): Notice the FTP Server is online. I apologize for the repetitive starting and stopping of the FTP Server.
Run OLLYDBG
Instructions:
Right Click on the OLLYDBG Desktop Icon
Select Open
Attach OLLYDBG to PCMan Process (Part 1)
Instructions:
File --> Attach
Attach OLLYDBG to PCMan Process (Part 2)
Instructions:
Click on PCManFTPD2
Click on the Attach Button
Note(FYI): Arrow #1, Make sure PCManFTPD2 is highlighted in light gray.
Arrow #2, OLLYDBG is an x86 debugger that lets us view and trace memory locations and registers, determine offsets, see which DLLs are loaded, and a lot more.
Start OllyDbg
Instructions:
Notice that OllyDbg is currently paused.
Click the Play icon; the status will change from paused to running.
Click PCMan located in the taskbar.
Note(FYI): Arrow #1, Attaching suspends PCMan; it stays suspended until the Play icon is clicked.
Arrow #3, You are asked to click on PCMan in the taskbar to bring the application to the foreground, so you can watch the subsequent buffer overflow attempts.
PCMan Fuzz Test Using fuzzer3.pl (On Kali 1.0.5)
Note(FYI): Replace (192.168.2.106) with your Damn Vulnerable WXP-SP2 address found in (Section 1, Step 7).
Instructions:
./fuzzer3.pl 192.168.2.106 21
Note(FYI): Arrow #1, Use (fuzzer3.pl) to send the unique 2200-character string created by pattern_create.rb to PCMan.
Viewing OllyDbg Results (On Damn Vulnerable WXP-SP2)
Instructions:
Notice that OllyDbg is currently paused because PCMan crashed.
Notice that both the ESP and ESI registers point to strings containing pieces of the unique pattern.
Left Click on the EIP value, then Right Click to pop up a menu.
Copy selection to clipboard.
Click the Close Icon.
Note(FYI): Arrows #3-4, Make sure you copy your own EIP value instead of mine. It is very possible that yours will be different.
Open Notepad
Instructions:
Click the Start Button
All Programs --> Accessories --> Notepad
Paste EIP Value
Instructions:
Edit --> Paste
Save File
Instructions:
File --> Save As...
Navigate to the following folder: C:\BUFFER\PCMan
File name: eip_value.txt
Click the Save Button
Note(FYI): We are saving the address just in case you are unable to paste it in the next step.
Using pattern_offset.rb (On Kali 1.0.5)
Note(FYI): Replace (386F4337) with your EIP value obtained in the previous step. You should be able to paste if you have VMware Tools installed.
Instructions:
/usr/share/metasploit-framework/tools/pattern_offset.rb 386F4337
Record your Offset. In my case, it is 2003.
Note(FYI): Arrow #1, Use (pattern_offset.rb) to find where the 4 bytes now in EIP (386F4337) sit in the pattern. The tool treats the value as a little-endian dword, so it searches for the bytes 37 43 6F 38, i.e. the ASCII string "7Co8".
Arrow #2, Make sure you record your offset. In my case, 2003 bytes of the pattern precede the four bytes that land in EIP.
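As an added example that is not part of the page and not Metasploit's own code, here is a Python 3 re-creation of what pattern_create.rb and pattern_offset.rb do, so you can see why the all-A crash value from Section 11 could not be located while 386F4337 maps to offset 2003: the register value OllyDbg shows is a little-endian dword, so its bytes are reversed before the pattern is searched. Function names, the CLI and the uniqueness check are my own; the character sets and triple layout are the ones pattern_create.rb uses by default.

```python
#!/usr/bin/env python3
"""Re-creation of pattern_create.rb / pattern_offset.rb (added example, not Metasploit's code).

    python3 cyclic.py create 2200 > pattern.txt
    python3 cyclic.py offset 386F4337 [pattern_length]
"""
import itertools
import re
import string
import sys
from typing import Optional

# Default sets: upper, lower, digit -> 26*26*10 = 6760 distinct 3-byte triples,
# so every 4-byte window is unique for the first 20280 bytes, after which it repeats.
PERIOD = 26 * 26 * 10 * 3


def _triples():
    """Aa0, Aa1, ..., Aa9, Ab0, ..., Zz9 as bytes, in pattern_create order."""
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                yield (u + l + d).encode("ascii")


def cyclic_pattern(length: int) -> bytes:
    """The unique pattern truncated (or, past PERIOD, wrapped) to `length` bytes."""
    out = bytearray()
    for triple in itertools.cycle(_triples()):
        if len(out) >= length:
            break
        out += triple
    return bytes(out[:length])


def needle_from_value(value: str) -> bytes:
    """Bytes to look for. An 8-hex-digit register value (as OllyDbg displays it,
    e.g. '386F4337') is converted to the 4 bytes that actually sat in memory: x86 is
    little-endian, so 0x386F4337 in EIP means 37 43 6F 38 ('7Co8') came from the buffer.
    Anything else is taken literally, e.g. the 4 ASCII characters '7Co8'."""
    v = value[2:] if value.lower().startswith("0x") else value
    if re.fullmatch(r"[0-9A-Fa-f]{8}", v):
        return int(v, 16).to_bytes(4, "little")
    return value.encode("ascii")


def pattern_offset(value: str, length: int = PERIOD) -> Optional[int]:
    """Offset of `value` inside a pattern of `length` bytes, or None when those bytes
    never occur in it (41414141 from an all-A buffer, or a stack address like 0012FE44)."""
    idx = cyclic_pattern(length).find(needle_from_value(value))
    return idx if idx >= 0 else None


def windows_unique(pattern: bytes) -> bool:
    """True if every 4-byte window occurs once, i.e. an offset found in it is unambiguous.
    Fails for patterns longer than PERIOD, which is why long fuzz strings need a wider set."""
    seen = set()
    for i in range(len(pattern) - 3):
        w = pattern[i:i + 4]
        if w in seen:
            return False
        seen.add(w)
    return True


def main(argv: list) -> int:
    if len(argv) >= 3 and argv[1] == "create":
        # like pattern_create.rb, emit the pattern followed by a newline
        sys.stdout.write(cyclic_pattern(int(argv[2])).decode("ascii") + "\n")
        return 0
    if len(argv) >= 3 and argv[1] == "offset":
        length = int(argv[3]) if len(argv) > 3 else PERIOD
        off = pattern_offset(argv[2], length)
        print(f"[*] Exact match at offset {off}" if off is not None
              else "[*] No exact match: those 4 bytes are not from the pattern")
        return 0
    print(__doc__)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

For the page's numbers: triple 667 ("Co7") starts at byte 2001 and triple 668 ("Co8") at 2004, so bytes 2003..2006 are "7Co8", which is 37 43 6F 38 in memory and reads back from EIP as 386F4337. The same lookup on 0012FE44 returns nothing because its bytes (44 FE 12 00) are not printable ASCII and never appear in the pattern.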
PCMan’s FTP Server 2.0.7 – Buffer Overflow Exploit